A simple guide to Care.data

You might have missed the leaflet that would have come through your letterbox last month
explaining Care.data, but all 26 million households in England were
supposed to have been sent one. It was titled "better information
means better care" and looked much like any other bit of junk
mail.

However, the leaflet's contents are extremely important and
shouldn't be ignored. It revealed -- for the first time to most
people who don't closely follow the medical sector -- that patient
data stored in GP surgeries across the UK is to be extracted and
placed in a central set of databases. The leaflet talked of the
benefits of the scheme, but said that anyone wanting to opt out
"should speak to" their GP.

The initiative has caused considerable confusion and anger,
largely because it has been so poorly communicated. As a result, 40
percent of GPs have said they intend to opt themselves out of the
scheme, according to a Pulse survey. Wired.co.uk has created a simple guide
to Care.data, explaining what it is, why people are concerned and
how to opt out.

What is Care.data?
Care.data is an NHS England initiative to take data from your GP
records and upload them to the national Health and Social Care
Information Centre (HSCIC) databases. The aim -- at least nominally
-- is to combine this with existing hospital records in the HSCIC
database to provide a picture of the care being delivered between
different parts of the healthcare system and to identify areas
where more work or investment might be needed. The NHS
says that Care.data will help find more effective ways of
preventing or managing illness; monitor the risk of disease spread;
streamline inefficiencies and drive economic growth. The data will
be updated each month and will be taken automatically from every
patient in England, unless you explicitly opt out.

Didn't this already happen?
No. For the last few decades the NHS Information Centre has
collected patient data from hospitals, which it has used to
identify, for example, the problems within the Mid Staffordshire Trust. The HSCIC was created by the Health
and Social Care Act 2012 in preparation for this data gathering,
and launched in April 2013. The same data has not been collected
from GPs. Until now.

What are the potential benefits of using this
data?
From a research point of view, this data could be enormously
valuable. Not having access to this data means that the NHS is, in
some cases, allocating resources blindly, not knowing with accuracy
where gaps in healthcare provision are occurring. Moreover, the
datasets could provide an incredibly useful resource for
third-party researchers investigating the effectiveness of certain
drugs, giving them access to enormous samples and an ongoing stream
of data.

Is it that big a deal if it's already happening with
hospital data?
Most people visit hospital much less frequently than they do their
GP. GPs will generally have someone's lifetime of conditions,
prescriptions, family history, blood tests and referrals. It's a
much, much richer dataset.

What data will be sent to the HSCIC for
Care.data?
The data that will be extracted from GP systems includes:
referrals, NHS prescriptions, your family history, vaccinations,
blood test results, body mass index, smoking/alcohol habits etc --
dating back to April 2013. The information will be extracted as a
series of codes, not as words or sentences. Identifiers, including
date of birth, postcode, NHS number and gender are required in
order to link the GP data with the data from hospitals. These
details will be pseudonymised in order to link with other
healthcare data, and the identifiers will be stored separately.
Critics believe that HSCIC retains, at the very least, a look-up
table for these identifiers.

Will anything be left at my GP?
Free text notes -- conditions are all coded and it's these codes
that are extracted -- and "sensitive data", which includes details
of infertility and assisted conception, sexually transmitted
infections, abortions, gender identity matters and abuse. However,
this list "might be reconsidered" at a later date.

Don't I have to give consent in order for my GP to share
my data?
If your data is being used for your direct medical care, there is
an "implied consent". However, if data is not being used for direct
care then it is considered a "secondary use" and one might assume
that this would require consent. However, the matter of consent is
bypassed by the Health and Social Care Act 2012, which legally
obliges GPs to hand over patient data if NHS England directs HSCIC
to request it -- patients don't get to opt in, they can only opt
out. But even the opt out option isn't a legal requirement, and
HSCIC wasn't planning on having it initially, before magnanimously
deciding to allow some patient choice.

Will doctors and nurses treating me have access to this
information?
No. Medical staff in the hospital will not be able to see your GP
history -- which you might think would be useful. Care.data is
about "secondary use" of your medical data, for example planning
health services and conducting medical research, as opposed to
helping you as an individual at the point of service.

Who can access the data?
Information from your Care.data record will be made available to
organisations within the NHS (such as commissioning bodies) but
also outside of the NHS, potentially (subject to approval) to
pharmaceutical companies, health charities, universities, hospital
trusts, think-tanks and other private companies.

Is the data being sold?
Approved organisations that access the data will have to pay a fee
(of between £800 and around £10,000 depending on which dataset is
accessed). Critics say this means your data is being sold, but
HSCIC insists this is a processing cost and that it won't be making
any profit -- it's merely covering costs (which might seem quite
high). The companies that extract the data will be able to use it
for profit-making initiatives.

Will all of my data be treated in the same
way?
No. There are three types of data that are protected by a
different set of safeguards, as outlined by the Information Commissioner's code of practice on anonymisation.
There is "green data", which are anonymous or aggregated; "amber
data", which are pseudonymised and "red data", which are personal
and confidential. All of this will be included in the initial
extraction, but then sliced up accordingly.

Green datais the most general and the
least contentious: it will involve the publication of average
values for large groups of patients or completely anonymous
figures. So one might compare the average time it took for patients
to have an operation in hospital after going to a GP with symptoms
for a particular condition between two patient care trusts. This
data will be made public.

Red datais personal, confidential data
that includes your postcode, date of birth and NHS number and other
identifiers that can be used to easily identify a patient.
Care.data extracts this information so that it can connect GP data
with other healthcare data, including hospital data. HSCIC says
that this red data will only be made available in a few exceptional
circumstances, such as a public health emergency.

Amber datais a little bit more tricky.
It's individual level and "pseudonymised", meaning that each
patient's identifiers (date of birth, postcode etc) have been
stripped out and replaced with a pseudonym. The amber data is
incredibly valuable as it can be used for tracking how individuals
interact with different parts of the NHS or social care over time.
In theory, this data could be re-identified by linking them to
other data sets. So this Amber data won't be published and will
only be made available to "approved analysts for approved
purposes". These may include pharmaceutical companies, health
charities, universities and hospitals.

Is it a one-off upload? No. It will be uploaded every month to create a rolling,
historical dataset.

So what are people worried about then?
There are a number of key concerns:

The lack of informed consent or control over what
happens to medical data. It feels like this is being
foisted upon patients.

The fear that their data will be re-identified
and used against them. This is exacerbated by the lack of
certainty about where people's data will be used. Many people are
OK with their data being used to improve NHS services, but feel
uncomfortable with their data being sold on to third parties such
as pharmaceutical companies, with a particular concern about
insurance companies getting hold of the data and potentially
re-identifying it and using it to influence insurance
premiums.

That storing the data centrally leaves it
vulnerable to being hacked or there being some other kind
of data breach (the old laptop-left-on-train classic).

That it's been communicated so badly
that people don't know what is happening with their
data.

These are compounded by a lack of trust in the government
(particularly in the wake of Edward Snowden's revelations) and the
NHS's ability to manage large-scale IT projects.

Are these worries founded?
The worries are definitely founded, but may have been overstated.
Let's address them one by one.

Lack of informed consent or control over what happens
to medical data: Many people believe that the relationship
between a GP and a patient is a confidential one and that if data
is being shared beyond that, particularly if it may land in the
hands of third parties, patients need to give consent. Thanks to a
legal loophole, patients are not required to give consent to hand
over this data. It seems that many people instinctively feel that
this data shouldn't be shared in this way, despite the fact that
it's being shared within a legal framework. Supporters of Care.data
argue that data generated through the delivery of public services
should be shared in this way. Medconfidential's Phil Booth
points to an existing, separate programme called the General Practice Research
Datalink, which is opt-in and patients can choose which
research programmes they contribute to. He wonders why Care.data
was not implemented in this way.

The fear that data will be reidentified and used
against them by third parties: It is entirely
possible for pseudonymised, "amber" datasets to be reidentified
through a jigsaw attack. There are many studies that support how
easy this is to do. HSCIC argues that the access to the datasets
will be very tightly controlled and that reidentification would
represent a breach of contract, and that any attempts to reidentify
data may lead to an ICO fine of up to £500,000 -- which Booth
describes as a "rounding error" in the bottom line of a
pharmaceutical company's P&L, "assuming the ICO finds out or
enforces".

However, that won't stop the police from having access to
HSCIC's datasets, if you believe David Davis MP, who told the Guardian that police will be able to
access the health records of people suspected of committing serious
crime via a back door. He confirmed how easy it is to reidentify
supposedly pseudonymised data: "I have had my nose broken five
times. Once you know that, I am probably in a group of 100 people
in England. Then you figure out when I had my diphtheria jab,
usually done at birth, and bang you got me. Let me be clear: people
can be identified from this data."

That storing the data centrally leaves it vulnerable to
being hacked: With any data release, there is a risk of
data breach. The same applies to medical records stored locally
with the GP. However, large centralised databases present a bigger
risk -- any breach may be at a population scale, rather than a
local scale. And the NHS has formerly been hacked. Even if some of the more sensitive
datasets aren't placed online, they are not immune to being
breached by a disreputable or careless staff member.

That it's been communicated so badly people
don't understand what they are opting out of:
Whichever side of the fence you are on, Care.data has been
communicated appallingly badly. Information is fragmented, full of
NHS jargon and neither the benefits nor the risks, nor the details
of the programme have been clearly communicated to patients -- the
taxpayers who fund the NHS. The lack of certainty over what is
going on inevitably leads to fear.

Wired.co.uk has tried to piece together the information, which
is tucked away in PDFs, spreadsheets, addendums, microsites, press
office request, FOI requests, interviews and leaflets. The absolute
crux of the issue seems to be what -- exactly -- you can and can't
opt out of. But Wired.co.uk is told that we have to wait until
Monday until two people get back from holiday to explain the
details. This is something that the ICO has already flagged as a
problem. Tim Kelsey, National Director for Patients and
Information, reluctantly accepted that some of the
communications could be clearer. Currently the clearest form of
information about Care.data is provided by critics who have pieced
together information, not the NHS.

Can I opt out?
Yes. There are two levels of opt-out.

So what can I opt out of?
It's not 100 percent clear. What we do know is that there are two
levels of opt out. The first lets you opt out of "identifiable
data" leaving your GP. The second lets you opt out of "identifiable
data" from leaving HSCIC, except for extreme cases where there is a
public health emergency, you have given your explicit consent or
the police want to have a look. What isn't clear is whether they
categorise "potentially identifiable" or "pseudonymous data" as
identifiable and how exactly the second option works. Wired.co.uk
repeatedly asked the NHS about this, but we've been told that the
two people who can best explain this to us are on holiday and can't
explain this until Monday. [SEE UPDATE BELOW]

Can I ask that certain conditions be excluded from the
extraction?
No. Unless it is categorised as one of the "sensitive" pieces of
data by HSCIC it will be taken in the extraction. So you can't
choose to exclude, for example, your smoking history from the
extraction.

Can I say that I'm OK with some third parties having
access to my data, but not others?
You can't. So you can't say "I'm OK with academic institutions
having access to my data but not pharmaceutical companies or
insurance".

How do I opt out?
Your GP needs to put a special code against your records to make
sure your data isn't included. This website has a form you can
fill out or you can call your GP.

Updated 10/02/2014: Regarding the
opt-out options, a spokeswoman for the NHS told Wired.co.uk
that if you opt out of data flowing from your GP practice (Type 1
objection), no red or amber data will be extracted. Nor would green
data be extracted for care.data, although green data will still be
used in some other cases, such as The Quality and Outcomes
Framework (QOF), an initiative that rewards GPs for the provision
of "quality care".

The Type 2 objection (relating to data flowing out of HSCIC
-- which includes records from hospitals and other social care
areas) only relates to identifiable "red" data. So potentially
reidentifiable amber data and the aggregated green data will still
flow. If a patient makes a Type 1 objection and a Type 2 objection,
then a message containing the patient's NHS number and objection
code does end up flowing to the HSCIC.

In short: If you don't want your data leaving your GP, make
sure to exercise your right to the Type 1 objection.